b'                                        September 8, 2006\n\n\n\n\nMEMORANDUM TO:            Luis A. Reyes\n                          Executive Director for Operations\n\n\n\nFROM:                     Stephen D. Dingbaum /RA/\n                          Assistant Inspector General for Audits\n\n\nSUBJECT:                  AUDIT OF NRC\xe2\x80\x99S BASELINE SECURITY AND\n                          SAFEGUARDS INSPECTION PROGRAM\n                          (OIG-06-A-21)\n\n\nThis report presents the results of the subject audit. Agency comments provided at the\nexit conference on August 15, 2006, have been incorporated, as appropriate, into this\nreport. The agency did not provide formal comments.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG followup as stated in Management Directive 6.1.\n\nWe appreciate the courtesies and cooperation extended to us by members of your staff\nduring the audit. If you have any questions or comments about our report, please\ncontact me at 301-415-5915, or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n  State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n   and Administration, and Chief Information Officer, OEDO\nMichael R. Johnson, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nCynthia A. Carpenter, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nBrian W. Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJanet R. Schlueter, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                     AUDIT REPORT\n\n\n                      Audit of NRC\xe2\x80\x99s Baseline Security\n                     and Safeguards Inspection Program\n\n                      OIG-06-A-21 September 8, 2006\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                       Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nEXECUTIVE SUMMARY\n\n       BACKGROUND\n\n       The Nuclear Regulatory Commission\xe2\x80\x99s (NRC) Operating Reactor\n       Security Assessment Program addresses the Reactor Oversight\n       Process\xe2\x80\x99s physical protection cornerstone. The Office of Nuclear\n       Security and Incident Response (NSIR) implements the\n       requirements of this program, develops its policies and procedures,\n       and ensures the uniform implementation of the program. Regional\n       administrators are responsible for conducting the assessment\n       reviews and allocating security inspection resources. The program\n       evaluates the performance of operating commercial nuclear power\n       reactor licensees in implementing their security programs and\n       communicating the results to licensee managers, NRC managers,\n       and other stakeholders.\n\n       A primary feature of the security assessment program is the\n       baseline security and safeguards inspection program. NSIR\n       provides overall program direction for the security and safeguards\n       inspection program and provides each region with full time\n       equivalents for the performance of the inspection program.\n       Regional administrators direct the implementation of the program\n       through supervision of the regional security inspection resources.\n       The baseline security and safeguards inspection program was\n       revamped after the events of September 11, 2001. In calendar\n       years 2004 and 2005, the inspection program was modified to\n       focus on new security order requirements. In calendar year 2006,\n       the baseline program was implemented in accordance with\n       Inspection Manual Chapter 2201 without modification for the first\n       time.\n\n       The baseline security and safeguards inspection addresses 12\n       \xe2\x80\x9cinspectable areas\xe2\x80\x9d at nuclear power plants. NRC security\n       inspectors from the regional offices review seven of the inspectable\n       areas. NSIR staff review two of the areas. Inspections of the three\n       remaining areas have not yet been performed. This audit report\n       focuses specifically on the portion of the inspection that is\n       conducted by the regional security inspectors.\n\n       There are currently 22 regional security inspectors. During\n       calendar year 2005, on average, each of the regional security\n       inspectors conducted or participated in five inspections and spent\n       186 hours per inspection on preparation, inspection, and report\n       writing activities. Licensees are billed for the time spent on security\n       inspections. The total cost billed to the licensees during calendar\n       year 2005 for security inspections was $5,616,468.\n\n                                     i\n\x0c                Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\nPURPOSE\n\nThe objective of this audit was to assess the effectiveness of the\nbaseline security and safeguards inspection program by examining\nthe program\xe2\x80\x99s resources, training and qualification requirements,\nand the consistency of program implementation.\n\nRESULTS IN BRIEF\n\nThe revised baseline security and safeguards inspection program is\nproceeding with its first year of full regional implementation. The\nOffice of the Inspector General found that resource levels\nestablished for this program appear to be sufficient as regions have\nbeen able to complete the program requirements even while the\nprogram is more rigorous than the prior program; however,\nimprovements are needed in:\n\n\xc2\x89   The security training program.\n\n\xc2\x89   The subjective approaches used by NRC inspectors in\n    determining the depth and scope of review needed to assess\n    plant security program elements.\n\n\xc2\x89   The historical information provided to the Security Findings\n    Review Panel in the inspection finding worksheets.\n\n       Security Training Program Needs Improvement\n\nNRC\xe2\x80\x99s security training program is in need of improvement to\nprovide assurance that key personnel have the appropriate\nknowledge and information to complete the inspection program.\nSpecifically, (1) regional security inspectors are not receiving\nrelevant training or refresher training, (2) the qualification boards\nare inconsistent, (3) non-security staff with oversight responsibility\nare not receiving security training, and (4) the training program has\nnot been updated.\n\n\n\n\n                              ii\n\x0c               Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nThis occurred because NRC management has not centralized the\nNRC security training program. Without an available, current, and\neffective training program, there is no assurance that the security\nprogram is running efficiently and that security personnel have a\nconsistent level of security knowledge.\n\n      Depth-of-Review Guidance is Lacking\n\nWithin the baseline security and safeguards inspection program,\nregional security inspectors examine a prescribed number of\nspecific security program requirements to assess each inspectable\narea. However, NRC regional security inspectors employ\nsubjective approaches to examine each of these requirements.\nThis occurs because NRC inspection procedures specify the\nnumber and type of requirements to review, but do not provide\nspecific guidance on what constitutes an adequate review of each\nrequirement. This can result in inspections that vary in scope and\ndepth.\n\n      No Systematic Process for Compiling Historical Data\n\nThe Security Findings Review Panel needs to have complete\nhistorical information on security-related findings. This is so the\nvoting panel members can perform their responsibilities of ensuring\nNRC is consistent in its regulatory response to findings across the\nnuclear industry. Yet, there is no guarantee that the historical\ninformation is complete because there is no systematic process for\ncompiling the historical data and the existing process relies on the\nmemory of the regional security inspectors. Furthermore, a\ncentralized database of security findings maintained by NSIR,\nwhich could serve this purpose, has not been shared with the\nregions. As a result, the consistent handling of security findings is\nnot well supported.\n\nRECOMMENDATIONS\n\nThis report makes eight recommendations to assure the provision\nof adequate security training and the implementation of an effective\nbaseline security and safeguards inspection program.\n\nAGENCY COMMENTS\n\nDuring an exit conference held August 15, 2006, the agency\ngenerally agreed with the audit findings and recommendations and\nprovided comments concerning the draft audit report. We modified\nthe report as we determined appropriate in response to these\ncomments. NRC reviewed these modifications and opted not to\nsubmit formal written comments to this final version of the report.\n                            iii\n\x0c   Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                iv\n\x0c                                     Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nTABLE OF CONTENTS\n\n    EXECUTIVE SUMMARY............................................................................. i\n    ABBREVIATIONS AND ACRONYMS .......................................................vii\n    I.      BACKGROUND ................................................................................. 1\n    II.     PURPOSE.......................................................................................... 6\n    III.    FINDINGS .......................................................................................... 7\n           A.   SECURITY TRAINING PROGRAM NEEDS IMPROVEMENT ....................... 7\n           B.   DEPTH-OF-REVIEW GUIDANCE IS LACKING ...................................... 17\n           C.   NO SYSTEMATIC PROCESS FOR COMPILING HISTORICAL DATA ......... 23\n    IV.     AGENCY COMMENTS .................................................................... 26\n    V.      CONSOLIDATED LIST OF RECOMMENDATIONS ........................ 27\n\n\n    APPENDIX\n\n\n    A.      SCOPE AND METHODOLOGY....................................................... 29\n\n\n\n\n                                                     v\n\x0c   Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                vi\n\x0c                 Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       DBT     Design Basis Threat\n       IMC     Inspection Manual Chapter\n       NRC     Nuclear Regulatory Commission\n       NSIR    Office of Nuclear Security and Incident Response\n       OIG     Office of the Inspector General\n       ROP     Reactor Oversight Process\n\n\n\n\n                              vii\n\x0c   Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                viii\n\x0c                             Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nI. BACKGROUND\n\n               In accordance with the Atomic Energy Act of 1954, as amended,\n               the Nuclear Regulatory Commission (NRC) is authorized to inspect\n               nuclear power plants to protect public health and safety. The NRC\n               reactor inspection program assesses, through scrutiny of selected\n               samples, whether activities are properly conducted and equipment\n               is properly maintained to ensure safe operations. Inspectors\n               monitor licensee performance, provide inspection findings to\n               licensee management, and conduct followup inspections to ensure\n               that the licensee has taken corrective action. NRC regularly\n               assesses the overall effectiveness of its inspection program for\n               operating reactors through its Reactor Oversight Process (ROP).\n\n               Reactor Oversight Process\n\n               The ROP integrates NRC\xe2\x80\x99s assessment, inspection, and\n               enforcement programs to provide tools for inspecting and\n               assessing licensee performance in a risk-informed, performance-\n               based manner. There are seven \xe2\x80\x9ccornerstones\xe2\x80\x9d in the regulatory\n               oversight framework, which serve as the fundamental building\n               blocks for the ROP. Acceptable licensee performance in these\n               cornerstones provides reasonable assurance that the overall\n               mission of adequate protection of public health and safety is\n               achieved.\n\n               One of the seven ROP cornerstones is intended to provide\n               assurance that the physical protection systems at licensee sites\n               can protect against NRC\xe2\x80\x99s design-basis threat for radiological\n               sabotage.1 Licensees are expected to maintain adequate\n               protection against threats of sabotage based on an effective\n               security program that relies on a defense-in-depth approach.\n\n\n\n\n1\n Security programs at NRC-licensed nuclear power reactors are designed to protect against\nspecified threats that are termed the Design Basis Threat (DBT). The DBT characterizes the\nadversary force composition and characteristics against which certain NRC licensees must\ndesign their physical protection systems and response strategies.\n\n\n                                              1\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\nSecured entrance at a nuclear power plant\n\nThe Baseline Security and Safeguards Inspection Program\n\nNRC\xe2\x80\x99s Operating Reactor Security Assessment Program addresses\nthe ROP\xe2\x80\x99s physical protection cornerstone. The Office of Nuclear\nSecurity and Incident Response (NSIR) implements the\nrequirements of this program, develops its policies and procedures,\nand ensures the uniform implementation of the program. Regional\nadministrators are responsible for conducting the assessment\nreviews and allocating security inspection resources. The program\nevaluates the performance of operating commercial nuclear power\nreactor licensees in implementing their security programs and\ncommunicating the results to licensee managers, NRC managers,\nand other stakeholders.\n\nBased on the information gathered, NRC determines the\nappropriate agency response, which varies. The response could\ninclude supplemental inspections, regulatory actions such as\ngranting licenses and issuing orders, and followup to ensure the\nlicensee\xe2\x80\x99s corrective actions are effective. Security assessments\nare not reported publicly (in contrast with reports on other ROP\ncornerstones, which are made public) to prevent adversaries from\nobtaining information that could be used to cause harm to the\n\n\n\n\n                             2\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nUnited States. On April 4, 2006, the Commission approved the\nprovision to make the cover letters for security inspection reports\navailable to the public. The first cover letters were made available\nto the public in April 2006.\n\nA primary feature of the security assessment program is the\nbaseline security and safeguards inspection program. NSIR\nprovides overall program direction for the security and safeguards\ninspection program and provides each region with full time\nequivalents for the performance of the inspection program.\nRegional administrators direct the implementation of the program\nthrough supervision of the regional security inspection resources.\nThe baseline security and safeguards inspection program was\nrevamped after the events of September 11, 2001. In calendars\nyears 2004 and 2005, the inspection program was modified to\nfocus on the new security order requirements. In calendar year\n2006, the baseline security and safeguards inspection program was\nimplemented in accordance with Inspection Manual Chapter (IMC)\n2201 without modification for the first time.\n\nSome of the procedures such as Fitness-for-Duty and Access\nAuthorization are now more rigorous than before and the Owner-\nControlled Area procedures are entirely new. Additionally, the\nprocedures are now a mixture of compliance and performance-\nbased requiring a demonstration of the requirements. NRC IMC\n2201, Appendix A, \xe2\x80\x9cSecurity and Safeguards Baseline Inspection\nProgram,\xe2\x80\x9d outlines the specific requirements for the baseline\nsecurity and safeguards inspection program.\n\nThe baseline security and safeguards inspection program\naddresses 12 \xe2\x80\x9cinspectable areas\xe2\x80\x9d at nuclear power plants. NRC\nsecurity inspectors from the regional offices review seven of the\ninspectable areas. NSIR staff review two of the areas. Inspections\nof the three remaining areas have not yet been performed. This\naudit report focuses specifically on the portion of the inspection that\nis conducted by the regional security inspectors.\n\nTable 1 lists the 12 baseline security and safeguards procedures\ndeveloped to examine the 12 inspectable areas. The table also\nindicates which procedures have been implemented and, for those\nimplemented, whether the review was performed by regional or\nNSIR staff.\n\n\n\n\n                             3\n\x0c                              Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n                Table 1\n\n\n                  Baseline Security and Safeguards Inspection Program Procedures\n\n                 Procedure           Procedure           Regional     NSIR      Not Yet\n                  Number                Title           Inspection Inspection Implemented\n                                 Access\n                  71130.01                                    9\n                                 Authorization\n                  71130.02       Access Control               9\n                                 Contingency\n                                 Response \xe2\x80\x93\n                  71130.03                                                    9\n                                 Force-on-Force\n                                 Testing\n                                 Equipment\n                                 Performance,\n                  71130.04                                    9\n                                 Testing and\n                                 Maintenance\n                                 Protective\n                  71130.05       Strategy                     9\n                                 Evaluation\n                                 Security Plan\n                  71130.06                                                    9\n                                 Changes\n                                 Security\n                  71130.07                                    9\n                                 Training\n                                 Fitness-for-Duty\n                  71130.08                                    9\n                                 Program\n                                 Owner-\n                  71130.09       Controlled Area              9\n                                 Controls\n                                 Information\n                  71130.10       Technology                                                     9\n                                 Security\n                                 Materials\n                  71130.11       Control and                                                   92\n                                 Accountability\n                                 Physical\n                                 Protection of\n                  71130.12                                                                      9\n                                 Shipments of\n                                 Irradiated Fuel\n\n\n\n\n2\n  While NSIR has initiated inspections of Materials Control and Accountability at each power plant\nin accordance with inspection instructions which will be translated into permanent inspection\nprocedures, the program has not been fully implemented.\n\n\n                                                4\n\x0c                               Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n                At the conclusion of each security inspection, inspectors present\n                their findings to NSIR\xe2\x80\x99s Security Findings Review Panel. The\n                Security Findings Review Panel is a multidisciplinary group chaired\n                by NSIR and made up of headquarters and regional representation\n                that reviews the security inspection findings for accuracy,\n                consistency, and relevance to requirements. The findings are\n                presented on worksheets used to support the Security Findings\n                Review Panel process. After the Security Findings Review Panel\n                performs its review, the inspectors prepare inspection reports listing\n                significant security and safeguards inspection findings. Such\n                findings are then entered into a plant issues matrix so they can be\n                monitored and tracked during followup inspections.\n\n                There are currently 22 regional security inspectors. 3 During\n                calendar year 2005, on average, each of the then 21 regional\n                security inspectors conducted or participated in five inspections and\n                spent 186 hours per inspection on preparation, inspection, and\n                report writing activities. Licensees are billed for the time spent on\n                security inspections. The total cost billed to the licensees during\n                calendar year 2005 for security inspections was $5,616,468. Table\n                2 presents information on resources expended to perform regional\n                baseline security and safeguards inspections during calendar year\n                2005.\n\n                Table 2\n\n                   Regional Resource Expenditures for Baseline Security and\n                         Safeguards Inspections, Calendar Year 2005\n                             Total   Number of Inspection Cost Billed per\n                  Region\n                         Inspectors         Hours4                Region\n                      I       5              5,268              $1,085,710\n                     II       5              4,482               $711,265\n                    III       6              3,992               $921,843\n                    IV        5              5,992              $1,267,535\n                  Totals      21            19,734              $3,986,353\n\n\n\n\n3\n  Region II added a sixth regional security inspector after calendar year 2005; therefore, the\ncurrent number of inspectors is not reflected in Table 2.\n4\n  Figures are rounded to the nearest hour.\n\n\n\n                                                 5\n\x0c                    Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nII. PURPOSE\n\n         This audit focused on the portion of the baseline security and\n         safeguards inspection program conducted by the regional security\n         inspectors. Its objective was to assess the effectiveness of the\n         baseline security and safeguards inspection program by examining\n         the program\xe2\x80\x99s resources, training and qualification requirements,\n         and the consistency of program implementation.\n\n\n\n\n                                     6\n\x0c                       Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nIII. FINDINGS\n\n          The revised baseline security and safeguards inspection program is\n          proceeding with its first year of full regional implementation. The\n          Office of the Inspector General (OIG) found that resource levels\n          established for this program appear sufficient as regions have been\n          able to complete the program requirements even while the program\n          is more rigorous than its predecessor program; however\n          improvements are needed in:\n\n          \xc2\x89     The security training program.\n\n          \xc2\x89     The subjective approaches used by NRC inspectors in\n                determining the depth and scope of review needed to assess\n                plant security program elements.\n\n          \xc2\x89     The historical information provided to the Security Findings\n                Review Panel in the inspection finding worksheets.\n\n\n     A. Security Training Program Needs Improvement\n\n          NRC\xe2\x80\x99s security training program is in need of improvement to\n          provide assurance that key personnel have the appropriate\n          knowledge and information to complete the inspection program.\n          Specifically, (1) regional security inspectors are not receiving\n          relevant training or refresher training, (2) the qualification boards\n          are inconsistent, (3) non-security staff with oversight responsibility\n          are not receiving security training, and (4) the training program has\n          not been updated.\n\n          This occurred because NRC management has not centralized the\n          NRC security training program. Without an available, current, and\n          effective training program, there is no assurance that the security\n          program is running efficiently and that security personnel have a\n          consistent level of security knowledge.\n\n          Security Inspector Training\n\n          NRC requires all of its inspectors to be trained and qualified to\n          conduct inspections in accordance with NRC inspection\n          procedures. Training requirements for reactor inspectors are\n          contained in IMC 1245, \xe2\x80\x9cQualification Program for the Office of\n          Nuclear Reactor Regulation Programs.\xe2\x80\x9d One of the main objectives\n\n\n\n\n                                        7\n\x0c           Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nof this manual chapter is to ensure that NRC staff has the\nnecessary knowledge and skills to successfully implement the\nOffice of Nuclear Reactor Regulation programs, which include the\nbaseline security and safeguards inspection program.\n\nIMC 1245 contains several appendices that detail inspector training\nand knowledge requirements. Appendix C-4, Safeguards Inspector\nTechnical Proficiency Training and Qualification Journal, lists the\nspecifics for regional security inspectors. These specifics, outlined\nin Table 3, include requirements for inspectors to receive (1) seven\ninitial training courses and (2) refresher training on safeguards\ntechnology every 2 years. Appendix C-4 also provides independent\nself-study objectives and on-the-job training requirements.\n\nTable 3\n\n                 Required Security Inspector Training\n                            Course\n      Course Title                            Course Location\n                           Provider\nPower Plant                             Self-Study and Classroom\n                             NRC\nEngineering                             Format\nGE Technology                NRC        Technical Training Center\nWestinghouse\n                             NRC        Technical Training Center\nTechnology\nPhysical Security\n                             NRC        Technical Training Center\nFundamentals Course\nAdvanced Physical                       Federal Law Enforcement\n                             Other\nSecurity                                Training Center\nDefense Industrial                      Federal Law Enforcement\n                             Other\nSecurity Course                         Training Center\nIntroduction to Physical\nSecurity Systems             NRC        Technical Training Center\nCourse\nSafeguards Technology\n                             NRC        Technical Training Center\n(refresher course)\n\nWhile IMC 1245 requires all inspectors, including the regional\nsecurity inspectors, to meet the training and qualification program\nrequirements, it also allows for course waivers and deferrals. With\nregard to waivers, IMC 1245 states that previous work experience\nand training may be accepted as evidence that an individual\nalready possesses the required knowledge or skills. In such cases,\nthe division director may grant the individual a waiver that exempts\nthe individual from certain Appendix C-4 requirements. In addition,\nif a course is not available, an individual may request to have the\ncourse deferred. With an approved deferral, an individual may\n\n\n                            8\n\x0c                              Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n                become qualified as a regional security inspector and perform\n                security inspections. However, the inspector is still required to take\n                the required course when it becomes available.\n\n                Security Inspectors are Not Receiving Necessary Training\n\n                A majority of NRC regional security inspectors have not received all\n                seven of the specific training courses that are required by Appendix\n                C-4. Three of the four regional branch chiefs stated that if a\n                required security course is unavailable, and the regional security\n                inspector has previous training or knowledge in the area, the\n                regional security inspector will receive a waiver for this course. If\n                the regional security inspector does not have previous training or\n                knowledge in the area, the branch chief will find alternative training\n                for the inspector to take to receive the waiver. OIG reviewed\n                training records of all the training courses provided by NRC. OIG\n                found that, of the five non-refresher courses offered by the NRC\n                Technical Training Center, only two courses focusing on nuclear\n                technology were offered on a regular basis. The Physical Security\n                Fundamentals course has not been offered since 2000, while the\n                Introduction to Physical Security Systems course has been offered\n                only once since 2000. OIG determined that none of the 13 regional\n                security inspectors who became qualified after September 11,\n                2001, had received all 5 of the required non-refresher NRC-\n                provided courses.5\n\n                OIG interviewed each of the 22 regional security inspectors and\n                more than half commented on the lack of NRC training. Eight of\n                the regional security inspectors stated that Appendix C-4 courses\n                were not offered at NRC when they were trying to qualify as\n                regional security inspectors. Some inspectors stated that they\n                received waivers based on their past security experience. Others\n                stated that they had to find alternative methods to receive training\n                such as on-the-job training, self-study, or training from outside\n                sources. One regional manager said the lack of training classes\n                makes succession planning difficult. There is no assurance that\n                entry-level hires, who lack experience to qualify them for waivers,\n                will be able to get the necessary NRC training to qualify as a\n                regional security inspector.\n\n\n\n\n5\n The current Appendix C-4 became effective on April 5, 2002; therefore six of the regional\nsecurity inspectors who qualified prior to this date are not required to meet these requirements.\nThree of the regional security inspectors are not yet qualified.\n\n\n                                                 9\n\x0c                               Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n                Furthermore, despite the requirement for regional security\n                inspectors to receive refresher training on safeguards technology\n                every 2 years, none of the regional security inspectors have\n                received this training in the last 2 years. Twelve of the 22 regional\n                security inspectors have been fully qualified6 for more than 2 years\n                and therefore are overdue for this refresher course.\n\n                In the absence of the refresher course required by Appendix C-4,\n                NSIR has provided annual training activities that are similar to\n                refresher training for the last 3 years at the annual security\n                counterpart meetings. However, OIG does not believe these\n                activities rise to the level of the formalized refresher training\n                stipulated by the inspection manual.\n\n                Recommendation\n\n                OIG recommends that the Executive Director for Operations:\n\n                1.     Provide the required initial and refresher security training\n                       courses for regional security inspectors at the frequency\n                       needed to support qualification requirements.\n\n                Inspector Qualification Boards\n\n                After an individual fulfills or has been granted waivers for the\n                Appendix C-4 training requirements, he or she must take an oral\n                exam administered by a regional security inspector qualification\n                board. The purpose of this board is to confirm the individual has\n                the necessary knowledge, skills, and attitudes to independently\n                conduct the prescribed NRC inspections. Once an inspector has\n                passed the qualification exam, the regional administrator certifies\n                that the inspector is fully qualified based on a recommendation from\n                the Inspector Qualification Board. After becoming qualified, the\n                inspector may conduct full scope inspections independently. IMC\n                1245 requires that inspectors be qualified within 24 months7 of\n                being hired into the position.\n\n\n\n\n6\n  Achieving Full Inspector Qualification allows an individual to independently perform the full\nscope of inspection related activities with routine oversight and supervision.\n7\n  IMC 1245 allows for a 3-month extension to fulfill course requirements for individuals in the\nNuclear Safety Professional Development Program.\n\n\n\n                                                10\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nRegional Security Inspector Qualification Boards are\nInconsistent\n\nWhile all of NRC\xe2\x80\x99s regions conduct qualification board exams for\nregional security inspectors, each of these boards is unique with\nregard to composition and the method used to develop and\nmanage questions used during exams. For example, 1) one region\nallows the inspector seeking qualification to choose who will sit on\nthe board, 2) in another region the security branch chief makes this\ndetermination, 3) in another it is the responsibility of the training\ncoordinator, and 4) in the fourth region, the security branch chief\nand the regional security inspector work together to find people to\nsit on the qualification board. Another variation is that in one\nregion, the training coordinator is the chair of the qualification board\nwhile, in another region, a senior manager performs this role.\n\nRegional offices also use different methods to manage the\nquestions asked during the qualification exams. While each board\nmember is responsible for creating his/her own questions (based\non IMC 1245, Attachment 2 guidelines), only two regions conduct a\npurposeful review to ensure that multiple board members are not\nasking the same questions. Furthermore, not all of the regions\ntrack the questions to ensure that the questions asked are\nconsistent for all regional security inspectors within that region, or\namong other regions. Although two regions keep their own\ndatabases of questions, there is no central database of questions\nfor use by qualification boards; instead, the questions can be\ndeveloped specifically for each inspector.\n\nRecommendation\n\nOIG recommends that the Executive Director for Operations:\n\n2.   Establish rules and standards supporting a consistent\n     qualification board process across all regions.\n\nTraining for Others With Security Oversight Responsibilities\n\nIn addition to providing training requirements for inspectors, IMC\n1245 also requires that NRC staff have the necessary knowledge\nand skills to successfully implement the baseline security and\nsafeguards inspection program. While the regional security\ninspectors are primarily responsible for conducting security\ninspections at the plants, there are other NRC employees who play\na significant role in the baseline security and safeguards inspection\nprogram. These are the regional branch chiefs who supervise the\n\n\n\n                            11\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nregional security inspectors (referred to as security branch chiefs in\nthis report), voting members of the Security Findings Review Panel,\nand resident inspectors assigned to nuclear power plants. While\nthese employees have security inspection responsibilities they are\nnot required to have security training.\n\nIn supervising the regional security inspectors, security branch\nchiefs are responsible for ensuring the baseline security and\nsafeguards inspection program is implemented and for reviewing\ninspection findings prior to the issuance of the reports. IMC 0320,\n\xe2\x80\x9cOperating Reactor Security Assessment Program\xe2\x80\x9d and IMC 0102,\n\xe2\x80\x9cOversight and Objectivity of Inspectors and Examiners at Reactor\nFacilities,\xe2\x80\x9d provide guidance on the security branch chief\xe2\x80\x99s role in\nthe inspection program. These inspection manual chapters state\nthat branch chiefs should take an active role in understanding the\nlicensee security requirements, inspection activities, and inspection\nfindings.\n\nSecurity Findings Review Panel voting members are responsible\nfor reviewing and formulating a disposition on security inspection\nfindings. The Security Findings Review Panel charter states that\nvoting members will review all inspection findings and determine if\nerrors have been made in the interpretation of the inspection\nprocedures, validate consistency of the findings, and apply their\nsecurity knowledge on the requirements to ensure the findings are\npresented correctly. Security Findings Review Panel voting\nmembers are senior level staff within NSIR, the Office of Nuclear\nReactor Regulation, the Office of Nuclear Material Safety and\nSafeguards, the Office of the General Counsel, the Office of\nEnforcement, the Office of State and Tribal Programs, and regional\nDivisions of Reactor Safety and Nuclear Materials Safety.\n\nResident inspectors play a significant role in security at nuclear\npower plants because they provide the front-line presence for NRC\nat the sites and observe plant security on a daily basis. IMC 2515,\n\xe2\x80\x9cLight-Water Reactor Inspection Program \xe2\x80\x93 Operations Phase,\xe2\x80\x9d\nAppendix D, \xe2\x80\x9cPlant Status,\xe2\x80\x9d states that resident inspectors have a\nspecific responsibility, outside of inspection activities, to be aware\nof plant conditions on a routine basis.\n\n\n\n\n                            12\n\x0c                              Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n                Security Oversight Personnel Not Trained\n\n                Certain non-security personnel with security oversight\n                responsibilities are not receiving security training. Although all of\n                the security branch chiefs have a background in engineering,\n                nuclear power plant inspections, and some prior security\n                experience, none have worked as regional security inspectors.\n                These branch chiefs have not been required to take any security\n                courses after being appointed to the security branch chief position.\n                Furthermore, while Security Findings Review Panel voting\n                members are responsible for deciding if inspection findings are\n                adequate, most of these individuals lack a security background.\n                Specifically, of the seven Security Findings Review Panel voting\n                members8 who attend the meetings on a regular basis, only one\n                has professional security experience. Furthermore, none have\n                received NRC security training courses and only two have\n                observed a security inspection to understand how it works. Five of\n                these seven regular Security Findings Review Panel voting\n                members stated having a basic security training course for Security\n                Findings Review Panel voting members would be helpful.\n\n\n\n                          Have NRC Security Findings Review Panel Voting\n                              Members Observed a Baseline Security\n                                       Inspection? (N=7)\n\n                                                                  28.6%\n\n\n                                                                                 have seen\n\n                                                                                 have not\n                                                                                 seen\n                                   71.4%\n\n\n\n\n8\n  The seven members who regularly attend the Security Findings Review Panel meetings are\nfrom NSIR, the Office of the General Counsel, the Office of Enforcement, the Office of Nuclear\nReactor Regulation, the Office of Nuclear Material Safety and Safeguards, the Office of State and\nTribal Programs, and Region II.\n\n\n                                               13\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nFinally, there are no formal security training requirements that\nresident inspectors must take to become qualified. Thirty-seven\npeople were interviewed by OIG to include resident inspectors (8),\nregional security inspectors (22), security branch chiefs (4), and\nother training relating staff (3). Twenty-seven said it would be\nuseful for the resident inspectors to be provided with basic security\ntraining. Three regional security inspectors stated that security\ntraining for resident inspectors would be helpful in giving resident\ninspectors a greater ability to identify security related issues at their\nsites. Two resident inspectors said that basic security training\nwould put them in a better position to identify security issues at the\nplant. A third resident inspector said that training for resident\ninspectors is important because resident inspectors are the eyes\nand ears on site.\n\nAfter the exit conference, officials provided comments that the\nresident inspector qualification records include an On-the-Job\nActivity to familiarize themselves with the security plan and its\nimplementation for their assigned facility. Additionally, NSIR is\ndeveloping a 4-hour course for resident inspectors and NRC\nmanagers on security design basics and an overview of the security\nrequirements. However this is not an equivalent for the training\ndiscussed in this section.\n\n\n         Would Security Training for Resident Inspectors\n                       Be Useful? (N=37)\n\n\n\n               27.0%\n\n\n                                                          Useful\n                                                          Not Useful\n\n\n\n                                              73%\n\n\n\n\n                            14\n\x0c           Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\nRecommendation\n\n\nOIG recommends that the Executive Director for Operations:\n\n3.   Develop and provide a security training program for non-\n     security personnel with security oversight responsibilities.\n\nSecurity Training Program Updates\n\nThe second objective of IMC 1245 states that the inspector training\nand qualification program should remain effective in preparing\ninspectors (including regional security inspectors) to implement the\ninspection program. As such, the baseline security and safeguards\ninspection program must reflect any changes in the security\nenvironment to ensure that inspectors are receiving appropriate\ntraining. This is accomplished through periodic updates to the\nprogram.\n\nAfter the terrorist attacks of September 11, 2001, NRC identified\nthat improvements are needed in the overall security training\nprogram to address 1) the changing threat environment, 2)\nadvancements in security technologies, and 3) adversary\ncapabilities. Based on OIG\xe2\x80\x99s review of the training records, the\nagency has not implemented any improvements and the training\nprogram remains unchanged since April 2002.\n\nPursuant to its responsibility for nuclear security programs, NSIR in\n2005 created the Integrated Training Development Working Group\nto determine how to create a training program for NSIR staff. NSIR\nidentified this training need because staff have varied security\nbackgrounds. According to an NSIR manager, it is important that\nstaff have a shared basis of knowledge on security. The working\ngroup has been developing a manual chapter for training NSIR\nstaff. An NSIR manager stated that as of June 2006, about 80\npercent of this new manual chapter was drafted.\n\nWhile NSIR managers had envisioned that the new manual chapter\nwould replace Appendix C-4, there has been no formal movement\nto facilitate this.\n\nDevelopment of the Training Program Delayed\n\nAccording to an NSIR manager, progress on the development of\nthe security training program has continued at a much slower pace\n\n\n\n                           15\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nthan first anticipated because resources have been diverted to\ncomplete emergent work assignments. In addition, while senior\nNSIR officials state that they have overall responsibility for the\nsecurity inspection training program, no one has responsibility at\nthe operational level.\n\nConsistent Level of Knowledge is not Assured\n\nWithout an available, current, and effective training and qualification\nprogram there is no assurance that the security program is running\nefficiently and that security personnel have a consistent level of\nsecurity knowledge. Most regional security inspectors have an\nextensive background in the security field. However, without a\nconsistent qualification process there is no assurance that regional\nsecurity inspectors have received the appropriate training to\nconduct security inspections in accordance with the expectation of\nNRC program management. Furthermore, key non-security\npersonnel need exposure to security topics to make better informed\ndecisions and to be able to identify security issues.\n\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n4.   Update the security inspector training program to ensure\n     course material is current and relevant.\n\n5.   Identify a training coordinator for all security related training to\n     ensure a centralized program effort.\n\n\n\n\n                            16\n\x0c                 Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nB. Depth-of-Review Guidance is Lacking\n\n     Within the baseline security and safeguards inspection program,\n     regional security inspectors examine a prescribed number of\n     specific security program requirements to assess each inspectable\n     area. However, NRC regional security inspectors employ\n     subjective approaches to examine each of these requirements.\n     This occurs because NRC inspection procedures specify the\n     number and type of requirements to review, but do not provide\n     specific guidance on what constitutes an adequate review of each\n     requirement. This can result in inspections that vary in scope and\n     depth.\n\n     Inspection Requirements\n\n     NRC uses the term \xe2\x80\x9csample\xe2\x80\x9d to refer to specific inspection\n     requirements within each inspectable area and the term \xe2\x80\x9csample\n     size\xe2\x80\x9d to refer to the number of inspection requirements reviewed by\n     the inspector in assessing the inspectable area. Neither term is\n     used to describe the number of items reviewed within each\n     \xe2\x80\x9csample\xe2\x80\x9d; this determination is left to the inspector\xe2\x80\x99s discretion. For\n     example, one \xe2\x80\x9csample\xe2\x80\x9d within the security inspection procedures for\n     the inspectable area, Access Control, relative to search activities,\n     asks the inspectors to:\n\n     Observe in-processing searches of personnel, packages and\n     vehicles at access locations during peak ingress times to ensure\n     compliance with established procedures. Performing this\n     observation would constitute completion of one sample associated\n     with the Access Control inspectable area, and it would be up to the\n     regional security inspector to determine how many searches to\n     observe.\n\n\n\n\n                                 17\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\nNuclear power plant security checkpoint\n\nIn accordance with the policy for the operating reactor inspection\nprogram found in IMC 2515, \xe2\x80\x9cLight-Water Reactor Inspection\nProgram \xe2\x80\x93 Operations Phase,\xe2\x80\x9d Appendix A, the inspection activities\nand minimum sample sizes must be completed to provide an\nadequate assessment for each cornerstone under review. IMC\n2515 further stipulates that sample sizes specified in the inspection\nprocedures are based on the relative importance of the area\ncovered by the procedure because the underlying concept of the\nrisk-informed inspection program is that it intends to examine\nsamples which have a greater probability of impacting safe and\nsecure plant operations.\n\nAs stated in the Background section of this report, regional security\ninspectors perform inspections for 7 of the 12 inspectable areas\naddressed in the baseline security and safeguards inspection.\nTable 4, shown below as contained in IMC 2201 Appendix A, lists\nthe seven inspectable areas and the respective sample sizes listed\nin the procedure.\n\n\n\n\n                            18\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nTable 4\n\n BASELINE SECURITY AND SAFEGUARDS INSPECTABLE AREAS\n               AND ASSOCIATED SAMPLE SIZES\n Attachment Number       Inspectable Area   Sample Size\n      71130.01       Access Authorization      48\n      71130.02       Access Control            16\n      71130.04       Equipment Performance,    47\n                     Testing, and\n                     Maintenance\n      71130.05       Protective Strategy       30\n                     Evaluation\n      71130.07       Security Training         41\n      71130.08       Fitness-For-Duty          22\n                     Program\n      71130.09       Owner-Controlled Area     12\n                     Controls\n\nSubjective Approach is Used\n\nNRC regional security inspectors employ subjective approaches to\ndecide how many items to review for each inspection requirement\n\xe2\x80\x9csample,\xe2\x80\x9d which can result in inspections that vary in scope and\ndepth. OIG spoke with 22 regional security inspectors, 13 of whom\nreported they independently determine the scope and depth of the\nexamination afforded to each sample. For example, relative to the\nAccess Control area \xe2\x80\x9csearch activities\xe2\x80\x9d inspection requirement, an\ninspector may choose to observe any number of processing\nsearches he/she deems appropriate.\n\nAuditors were unable to review records to illustrate this point\nbecause such records are not maintained by NRC. However,\nauditors observed the following example of how variances could\nexist in the scope and depth of the inspector\xe2\x80\x99s handling of the\nsamples. In fulfilling an inspection procedure designed to verify\nand assess a licensee\xe2\x80\x99s protective strategy, a regional security\ninspector attempted to examine all of the licensee\xe2\x80\x99s defensive\npositions, but was advised by the branch chief to examine only a\nsample of the defensive positions. Because the procedures are\nsilent with respect to the number of items to review, the procedure\nwas being performed in the manner the inspector believed was\nbest. Yet, in this case, the inspector\xe2\x80\x99s supervisor, the branch chief,\ndisagreed and the inspector subsequently modified his approach.\nBased on OIG interviews with several branch chiefs, however, the\ninspector would not normally receive this type of guidance from his\nor her branch chief as they typically rely on the inspectors to\n\n\n                            19\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\ndetermine how many items to review per sample. One branch chief\nsaid he would use trips to observe the inspectors as an opportunity\nto discuss how the inspectors arrive at the number of items\nreviewed. Another said each line item must be completed and the\ninspector decides what will satisfy this requirement.\n\nThe regional security inspectors verified their latitude to\nindependently determine the number of items to review in the\ncompletion of the inspection procedures. When asked how sample\nsizes are determined, more than half of the regional security\ninspectors provided the following responses:\n\n\xe2\x80\xa2   Each inspector needs to be comfortable with the amount of work\n    they did and be able to justify why they did it.\n\n\xe2\x80\xa2   There is no correlation between the sample sizes designated in\n    the procedures and the amount of work done.\n\n\xe2\x80\xa2   The amount of inspecting that needs to be performed depends\n    on the inspector\xe2\x80\x99s assessment of the line item from the\n    procedures.\n\n\xe2\x80\xa2   Determination of the number of items within a sample to review\n    is left up to the inspector.\n\nNo Guidance on What Constitutes Adequate Review\n\nWhile NRC inspection procedures specify the number and type of\nprogram elements to review, they do not provide specific guidance\non what constitutes an adequate review of each element.\n\nNSIR staff has not provided necessary guidance on the scope and\ndepth of the examinations because they believe the inspectors\nshould determine what constitutes an appropriate examination.\nFurthermore, NSIR staff explained that there are other opportunities\nfor inspectors to communicate with each other on their methods of\ninspecting and thereby gain consistency. NSIR staff said that such\ncross-pollination occurs regularly during bimonthly secure\nteleconferences (\xe2\x80\x9ccounterpart calls\xe2\x80\x9d) held for regional and NSIR\nsecurity inspectors to discuss inspection issues and during weekly\nSecurity Findings Review Panel meetings, which always include\nregional and NSIR representation.\n\nAlthough NSIR staff told OIG that guidance on the number of\nexamples to review was not needed, OIG contends that such\nguidance is necessary to ensure a reliable review across the\n\n\n                            20\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nregions. For example, another sample that can be reviewed as part\nof the Access Control inspection procedure asks the inspector to:\n\nVerify that the licensee has a program in place for controlling and\naccounting for hard keys to protected and vital areas and the\nreplacement or changing the core of locks if a key is lost or\ncompromised.\n\nThe scope of work to complete this sample could be interpreted in\nvarious ways depending on 1) the amount of time an inspector has\nto perform the inspection procedure, 2) the inspector\xe2\x80\x99s experience\nwith the licensee under review, and 3) the inspector\xe2\x80\x99s comfort level\nwith the inspection procedure. An inspector might:\n\n\xe2\x80\xa2   Examine all (100 percent) of the keys and key changes ensuring\n    they are located as identified in the control journal and that\n    changes were all performed in accordance with the procedures.\n\n\xe2\x80\xa2   Review the applicable control journals, randomly selecting a few\n    keys from each page for a complete review.\n\n\xe2\x80\xa2   Review the procedures, interview licensee employees about the\n    implementation of the procedures, and observe how the keys\n    are stored.\n\nAny of these methods would constitute completion of the sample;\nyet, the depth of the review and the assurance gained that\nprocedures are followed would vary greatly. Guidance is needed to\nensure that a consistent standard of review is achieved.\n\nInadequate Review Could Result\n\nThe lack of guidance on the number of items to review and the\nsubjectivity of the inspection procedures could prevent the\nlicensees from receiving an adequate review by the regional\nsecurity inspectors because of the varied interpretations that could\nbe applied to the performance of the procedures. The adequacy of\nassessing licensee performance through the baseline inspection\nprogram depends on the quality (scope and depth of the inspector\xe2\x80\x99s\nexamination) of the samples chosen for inspection.\n\n\n\n\n                            21\n\x0c           Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n6.   Include guidance in the baseline security and safeguards\n     inspection procedures to ensure inspectors review an\n     adequate number of sample items to assess the effectiveness\n     of the licensee\xe2\x80\x99s security program.\n\n7.   Implement training on how to select an adequate number of\n     sample items.\n\n\n\n\n                           22\n\x0c                 Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nC.   No Systematic Process for Compiling Historical Data\n\n     The Security Findings Review Panel needs to have complete\n     historical information on security-related findings. This is so the\n     voting panel members can perform their responsibilities of ensuring\n     NRC is consistent in its regulatory response to findings across the\n     nuclear industry. Yet, there is no guarantee that the historical\n     information is complete because there is no systematic process for\n     compiling the historical data and the existing process relies on the\n     memory of the regional security inspectors. Furthermore, a\n     centralized database of security findings, which is maintained by\n     NSIR, could serve this purpose but has not been shared with the\n     regions. As a result, the consistent handling of security findings is\n     not well supported.\n\n     Security Findings Review Panel Charter\n\n     The Security Findings Review Panel charter requires the use of\n     complete historical information on security-related findings. The\n     panel meets its objective through a review of the security findings,\n     unresolved items, and potential findings resulting from the security\n     inspections and then approves the approach to disposition them.\n     The panel consists of designated senior level staff within NSIR, the\n     Office of Nuclear Reactor Regulation, the Office of Nuclear Material\n     Safety and Safeguards, the Office of the General Counsel, the\n     Office of Enforcement, the Office of State and Tribal Programs, and\n     regional Divisions of Reactor Safety and Nuclear Materials Safety.\n\n     The panel meets on a weekly basis and, in preparation for the\n     meeting, members are provided with Security Findings Review\n     Panel worksheets on each inspection finding. The worksheets,\n     which are prepared and submitted by the regional security\n     inspectors, include a brief summary of the issues and a description\n     of the requirement that was violated, as well as the region\xe2\x80\x99s\n     recommendation for adjudicating the issue. When a common or\n     programmatic weakness has affected multiple physical protection\n     attributes, plants, sites, or functions, this information must also be\n     included on the Security Findings Review Panel worksheet. To\n     fulfill this information need, the regional security inspectors must\n     provide the following historical information to inform the panel about\n     the handling of prior issues:\n\n\n\n\n                                 23\n\x0c            Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\xe2\x80\xa2   Related historical findings from this licensee.\n\n\xe2\x80\xa2   Related historical findings from other licensees within the\n    region.\n\n\xe2\x80\xa2   Historical precedent \xe2\x80\x93 if this finding has been through the\n    Security Findings Review Panel previously.\n\nProcess Relies on Memory\n\nThere is no guarantee that the historical information the panel\nreceives from the Security Findings Review Panel worksheets is\ncomplete because the process for compiling the historical\ninformation is not systematic and relies on the memory of the\nregional security inspectors.\n\nRegional security inspectors and their branch chiefs said\nconsiderable time and effort is invested in preparing the Security\nFindings Review Panel worksheets for the panel meetings and that\nthey rely mostly on memory to complete this portion of the\nworksheet. Inspectors reported keeping \xe2\x80\x9cmental notes\xe2\x80\x9d of the\nissues they have seen. Two inspectors said they have on occasion\nhad to ask the Security Findings Review Panel coordinator, from\nNSIR, to provide them with information on past findings because\nthey could not remember and needed clarification.\n\nRegional security inspectors characterized the process of\ndocumenting historical security findings information as relying on\nthe information they know and excluding the universe of information\nthat might be available.\n\nDatabase Not Shared With Regions\n\nSecurity Findings Review Panel worksheets are compiled primarily\nbased on regional security inspectors\xe2\x80\x99 memory because the regions\nhave not been provided access to the database of security findings.\nNSIR maintains a centralized database compiled from data\ncontained on the Security Findings Review Panel worksheets;\nhowever, it is not always up to date and has not been shared with\nthe regions. NSIR staff explained that the database is not up to\ndate because there is a lack of staff to complete and maintain the\ndatabase. They also said that they have been unable to share the\ndatabase with the regions because of the logistics associated with\nstoring and sharing safeguards information. Despite this concern,\n\n\n\n\n                            24\n\x0c           Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nNRC has overcome the logistical issues at various times and used\nthe database to provide statistics quickly to senior NRC managers,\nCongress, and others.\n\nConsistent Handling of Security Findings is Not Well\nFacilitated\n\nBecause the database of security findings is not shared with the\nregions, the handling of security findings is not well facilitated as\nthe Security Findings Review Panel must rely on the memory of the\nregional security inspectors.\n\nA systematic approach to maintaining security findings would\nbenefit regional security inspectors, who said they spend\nconsiderable time and effort preparing the Security Findings\nReview Panel worksheets. It would also ensure that the Security\nFindings Review Panel has access to reliable and complete\nhistorical information and efficiently meets its objective of\nperforming a thorough review of the security findings.\n\nRecommendation\n\nOIG recommends that the Executive Director for Operations:\n\n8.   Maintain and share the NSIR database of security findings\n     with the regions.\n\n\n\n\n                           25\n\x0c                   Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nIV. AGENCY COMMENTS\n\n        During an exit conference held August 15, 2006, the agency\n        generally agreed with the audit findings and recommendations and\n        provided comments concerning the draft audit report. We modified\n        the report as we determined appropriate in response to these\n        comments. NRC reviewed these modifications and opted not to\n        submit formal written comments to this final version of the report.\n\n\n\n\n                                   26\n\x0c                    Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\nV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n        OIG recommends that the Executive Director for Operations:\n\n        1.   Provide the required initial and refresher security training\n             courses for regional security inspectors at the frequency\n             needed to support qualification requirements.\n\n        2.   Establish rules and standards supporting a consistent\n             qualification board process across all regions.\n\n        3.   Develop and provide a security training program for non-\n             security personnel with security oversight responsibilities.\n\n        4.   Update the security inspector training program to ensure\n             course material is current and relevant.\n\n        5.   Identify a training coordinator for all security related training to\n             ensure a centralized program effort.\n\n        6.   Include guidance in the baseline security and safeguards\n             inspection procedures to ensure inspectors review an\n             adequate number of sample items to assess the effectiveness\n             of the licensee\xe2\x80\x99s security program.\n\n        7.   Implement training on how to select an adequate number of\n             sample items.\n\n        8.   Maintain and share the NSIR database of security findings\n             with the regions.\n\n\n\n\n                                    27\n\x0cAudit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                28\n\x0c                   Audit of NRC\xe2\x80\x99s Baseline Security and Safeguards Inspection Program\n\n\n                                                                         Appendix A\nSCOPE AND METHODOLOGY\n\n       Auditors reviewed the effectiveness of the baseline security and\n       safeguards inspection program by examining the program\xe2\x80\x99s\n       resources, training and qualification requirements, and the\n       consistency of program implementation.\n\n       The OIG audit team reviewed relevant criteria, including NRC IMC\n       1245, \xe2\x80\x9cQualification Program for the Office of Nuclear Reactor\n       Regulation Program\xe2\x80\x9d; and Inspection Procedure 71130, \xe2\x80\x9cPhysical\n       Protection.\xe2\x80\x9d The audit team also reviewed the Security Findings\n       Review Panel charter.\n\n       Auditors interviewed NSIR and regional staff to better understand\n       the development, implementation, and management of the\n       inspection program. Auditors interviewed regional security\n       inspectors in all four regional offices and observed a baseline\n       security and safeguards inspection at one site in each of the NRC\n       regions to understand how the inspection program is applied.\n       Auditors interviewed licensee security staff at four reactor sites to\n       obtain their comments concerning the baseline security and\n       safeguards inspection program.\n\n       Auditors compared training records of the regional security\n       inspectors with the courses that are required by IMC 1245\n       Appendix C-4, \xe2\x80\x9cSafeguards Inspector Technical Proficiency\n       Training and Qualification Journal,\xe2\x80\x9d to determine what training the\n       inspectors were receiving. In addition, auditors reviewed Human\n       Resources Management System records for calendar year 2005 to\n       determine how regional inspectors spend their time.\n\n       This work was conducted from December 2005 through April 2006,\n       in accordance with generally accepted Government auditing\n       standards and included a review of management controls related to\n       audit objectives. The work was conducted by Beth Serepca, Team\n       Leader; Shyrl Coker, Audit Manager; David Ditto, Senior\n       Management Analyst; and Rebecca Underhill, Management\n       Analyst.\n\n\n\n\n                                   29\n\x0c'